I came across this article about VMworld 2007 tonight that discusses security at one point:
Illuminata’s Haff added that hypervisors are no more or less secure than your average operating system.
I am just finishing up a virtualization security report (send me a note if you want to have a look) and actually, I think there is strong evidence that hypervisors are more secure than your average operating system. Considering the very small footprint and lack of user interface requirements, device drivers, etc., they may even be much more secure.
There’s only one problem: In physical-to-virtual (P2V) migrations, the hypervisor doesn’t replace the operating system; it subordinates it. (It could replace the host operating system of a Type II virtual environment, but that is an entirely different scenario that I don’t believe was intended here.)
So the effect of a hypervisor on risk is additive to the risk associated with the operating system, which doesn’t go away. (Even moving the entire kernel into user space doesn’t negate the impact on that particular VM.)
This doesn’t mean you shouldn’t go virtual, but you have to consider other places where you can reduce your risk in order to maintain the status quo (that is, if you need to).
Pete:
I think most would agree that hypervisor attacks are theoretical at this point, as compared to the VM OS/App vulnerabilities which exist, have established attacks and which are now in “fluid-like” states creating an attack surface that can mutate faster than most security appliances can keep up.
Greg N
@Greg -
I guess by theoretical you mean that they haven’t been found in the wild yet, right? There has been some interesting proof-of-concept and bug-finding work done by Tom Shelton (attack against VMware’s NAT); Tavis Ormandy (paper on remote code exploits for most virtualization software); and Tom Liston at IntelGuardians (details here slightly less clear).
In any case, I am not sure what point you are making. It seems like you are doing exactly what I am cautioning against – comparing hypervisor security to OS security. My point is that you get your latter situation in either a physical or a virtual machine. If that is the case, then the hypervisor attack surface, however slight it may be, adds to the attack surface of the VM.
Pete